United States Treasury Department Says it was Hacked by Communist Chinese Government

On Monday the U.S. Treasury Department announced that its workstations and several unclassified documents were remotely accessed by Chinese state-sponsored hackers who compromised a third-party software service provider. The agency referred to the attack as a ‘major incident’.

“On December 8, 2024, Treasury was notified by a third-party software service provider, BeyondTrust, that a threat actor had gained access to a key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices (DO) end users. With access to the stolen key, the threat actor was able override the service’s security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users,” the U.S. Treasury letter to the Committee on Banking, Housing and Urban Affairs of the Senate said.

The government agencies CISA and the FBI as well as unnamed entities from the intelligence community and third-party forensics investigators were used to analyze the attack. Their conclusion is that the Chinese government launched the attack.

“Treasury has been working with the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Intelligence Community, and third-party forensic investigators to fully characterize the incident and determine its overall impact. CISA was engaged immediately upon Treasury’s knowledge of the attack, and the remaining governing bodies were contacted as soon as the scope of the attack became evident. Based on available indicators, the incident has been attributed to a China state-sponsored Advanced Persistent Threat (APT) actor,” the U.S. Treasury letter said.

“APTs are a moniker used in the cybersecurity community to denote hacking collectives that operate with advanced technical capabilities, persistent attack strategies and often with the financial backing of nation-states,” NextGov said Monday.

The letter went on to say that the compromised BeyondTrust service has since been taken offline.

“At this time there is no evidence indicating the threat actor has continued access to Treasury information,” the U.S. Treasury letter said.

The incident was described as ‘major’.

MORE: THE JEFF FORDLEY FILES - WHAT TO KNOW BEFORE DOING BUSINESS WITH THE CON ARTIST FROM NEW YORK

“In accordance with Treasury policy, intrusions attributable to an APT are considered a major cybersecurity incident,” the U.S. Treasury letter said.

Reuters reached out for comment yet did not get any additional information from the government.

“Treasury officials didn’t immediately respond to an email seeking further details about the hack. The FBI did not immediately respond to Reuters’ requests for comment, while CISA referred questions back to the Treasury Department,” Reuters said Tuesday.

The corporate entity involved did however respond to Reuters’ questions.

“A spokesperson for BeyondTrust, based in Johns Creek, Georgia, told Reuters in an email that the company ‘previously identified and took measures to address a security incident in early December 2024’ involving its remote support product. BeyondTrust ‘notified the limited number of customers who were involved,’ and law enforcement was notified, the spokesperson said. ‘BeyondTrust has been supporting the investigative efforts’,” Reuters said Tuesday.

Channel News Agency reported that China rebuked the claims it had hacked the U.S. Treasury calling the allegations ‘groundless’.

“China denied the claims, with the foreign ministry saying Beijing ‘has always opposed all forms of hacker attacks, and we are even more opposed to the spread of false information against China for political purposes’,” Channel News Agency said Tuesday.

“We have stated our position many times regarding such groundless accusations that lack evidence,” Chinese foreign ministry spokeswoman Mao Ning said.